Since this vulnerability was submitted by Harry Sintonen to Wired's Threat Level last week, it has been spreading like wildfire throughout the web. Discovery of a new XSS is nothing new, but it does become noteworthy when it involves a domain like CIA.gov. While not a site-0wning exploit, it is an embarrassing example of poor input validation.
A search form on their site provides the unfiltered option to inject strings that run as script. The query is processed and your customized version of the site appears (at least, that seems to be what most people are using it for; for those with more malicious intent... good luck, you'll probably win a free ride in a black Suburban). You can check out a comical example here. And yes, this is still working at the time of this post.
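To make the defect concrete, here is an added example that is not code from the original post or from the site it describes: a minimal search-results renderer that reflects the query string into HTML, first unescaped (the behaviour described above) and then with proper output encoding. The page markup, the function names, the `q` parameter and the sample query are assumptions made for this illustration.

```python
# Added example (not from the original post): reflected search query with and
# without output encoding. Function names, markup and sample values are assumed.
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample query: a harmless tag, used only to show the difference.
SAMPLE_QUERY = "<b>pony</b>"


def render_results_vulnerable(query: str) -> str:
    """Reflects the raw query into the page: any markup in it becomes live HTML."""
    return f"<h2>Results for: {query}</h2>"


def render_results_fixed(query: str) -> str:
    """Encodes <, >, &, quotes so the query is displayed as text, not parsed as markup."""
    return f"<h2>Results for: {html.escape(query, quote=True)}</h2>"


def extract_query(url: str) -> str:
    """Pull the (assumed) q parameter out of a search URL; empty if absent."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def handle_search(url: str, hardened: bool = True) -> str:
    """Simulated request handler: parse the URL, render the results page."""
    query = extract_query(url)
    return render_results_fixed(query) if hardened else render_results_vulnerable(query)


def reflects_raw_markup(page: str, query: str) -> bool:
    """Defender-side check: did the query's markup survive unchanged into the page?"""
    return ("<" in query) and (query in page)


if __name__ == "__main__":
    url = "https://search.example.invalid/?q=%3Cb%3Epony%3C%2Fb%3E"  # constructed URL
    for hardened in (False, True):
        page = handle_search(url, hardened=hardened)
        print("hardened" if hardened else "vulnerable", "->", page,
              "| raw markup reflected:", reflects_raw_markup(page, extract_query(url)))
```

The only difference between the two renderers is the `html.escape` call at the point where untrusted input meets HTML; that is the control the post says is missing. The `reflects_raw_markup` check is the kind of assertion a regression test or a response-inspecting scanner would run against a search endpoint.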
This isn't the first time the CIA has had to say "Uh-oh" in response to their website. Back in June 2007, John Leach revealed an XSS vulnerability on the CIA Freedom of Information webpage. He even created a site that allowed people to publish their own documents to the CIA FOIA page. (This no longer works.)
I wanted to see if perhaps they were acknowledging and/or addressing this issue. I searched their site, and under News & Information, I only found:
Their What's New on CIA.gov:
April 17: Project COLDFEET: Seven Days in the Arctic.
April 16: Chiefs of State and Cabinet Members of Foreign Governments, updated content posting.
Their latest press release page contained:
April 9: Transcript of Director Hayden's Interview on Meet the Press.
Nothing about this issue.
Fortunately, this site isn't associated with any sort of government agency that contains classified US documents.
What's their policy? Don't ask...don't tell...don't validate input? Or are they taking a page from the NSA's acronym of Never Say Anything?
Before we start criticizing the Chinese for the barrage of government-related cyber attacks, maybe we should be shouldering some of the blame for our lack of defenses.
Yes, ponies are cute, but I'm getting tired of my European friends making fun of me. Please recruit someone to fix this.
This blog will self destruct in 10 seconds. Send your covert comments to: greyhat@computer.org
With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding from an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980, when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "phone phreaking". This soon led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.
His clients have consisted of Fortune 500 companies and various government agencies.
He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.